vbatts/too-soon
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions
too-soon/README.md
Vincent Batts be72e38bfc
main: adding too-soon remote to check a remote hosts cert 
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2025-02-17 17:16:29 -05:00

66 lines
2.5 KiB
Markdown
Raw Blame History

# too-soon
alert on upcoming expirations.
like, certificates for my domain expire too soon.
Default is expiration within 20 days.
## inital functionality
Arguments passed to the tool are PEM encoded x509 files.
No output at all if all good.
If any of the PEM x509 files have DNS Names _and_ the notAfter date is within 20day from today, then output text alert to stdout and return non-zero exit code.
## Install
```shell
go install git.batts.cloud/vbatts/too-soon@latest
```
## Usage
with the `pem` command you run against PEM files local to the command and return code is the number of certificates that are within the range of being expired, or are already expired:
```shell
root@infra1:~/lb# too-soon pem letsencrypt/live/example.com-0002/fullchain.pem
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : TIME TO RENEW CERTIFICATE (already expired!)
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : 2022-02-01 09:51:49 +0000 UTC
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : [example.com]
certificates need to be renewed
root@infra1:~/lb# echo $?
1
```
By default, if there are no expired certificates, then nothing is printed to stdout.
Use the `--debug` flag to see the datetime of the certificates:
```shell
root@infra1:~/lb# too-soon -D pem letsencrypt/live/example.com-0007/fullchain.pem
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : [example.com]
```
Likewise, you can check the expiration of a remote host with the `remote` command:
```shell
vbatts@jungle:~$ too-soon -D remote example.com
DEBU[0000] server: example.com
DEBU[0000] version: 772
DEBU[0000] -- cert serial: 498c7524e0cbd9f3fba887d6b7bba9dacac
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : [example.com]
DEBU[0000] -- cert serial: 838f6c63ceb1398c6206628315c9fdde
DEBU[0000] -- cert: skipping as there are no DNS names
DEBU[0000] -- cert serial: 498c7524e0cbd9f3fba887d6b7bba9dacac
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : [example.com]
```
## Combo
Whether you use a cronjob or a systemd timer, you can chain this command to a daily/weekly job to check an email yourself:
```shell
too-soon pem "fullchain.pem" || mail -s "$(shell hostname): certificates expire soon" webmaster@example.com
```
Reference in a new issue View git blame Copy permalink